Earlier this week, a jailbreak for Apple’s iPhone 4 was released to the public by a developer known as “Comex.” By visiting a special website, users are able to jailbreak their devices far more easily than they could in the past. In addition to the iPhone 4, older Apple products running iOS can also be jailbroken this way. (Jailbreaking occurs when users modify the OS of their iPad, iPhone, and iPod Touch devices to run applications without passing through Apple’s app store.)
Well-known Apple security researchers such as Charlie Miller have commented favorably on the quality of the jailbreak. The jailbreak exploits two separate vulnerabilities. The first lies in how the Safari browser handles PDF files: a PDF can contain a specially crafted embedded font that causes arbitrary code execution. It appears to be related or identical to a similar Mac OS X flaw that was patched in March. The second vulnerability is used to gain elevated privileges on the device, but details on it are not publicly available.
Nothing prevents malicious users from using the same techniques jailbreak developers use to push malware onto iOS devices. So far, no attacks have been reported, but this may change in the future. There has been no official word from Apple about a patch for this flaw.
Users can install Trend Micro’s Smart Surfing for iPhone application, which provides protection against malicious websites, including those targeting iOS devices. For example, the site hosting the jailbreaking code is currently blocked, as shown below.
Thanks to Product Manager Warren Tsai for providing the details on the exploits used.
Update as of August 5, 2010, 3:04 a.m. UTC
Trend Micro now detects the PDF files used for this as TROJ_PIDIEF.HLA.
Although there is no malicious payload currently linked to the said file, it could very easily be used for malicious attacks. As Advanced Threats Researcher Joey Costoya states, “At this point, anybody could just create a PDF file with a malicious payload using the same exploit. They already have the exploit PDF available publicly (via the jailbreak site). All they need now is to modify the exploit payload.”
Update as of August 12, 2010, 3:11 a.m. UTC
Apple released security updates to address the vulnerabilities used for the jailbreak. The advisory describes them as a stack buffer overflow vulnerability in FreeType’s handling of CFF opcodes and an integer overflow vulnerability in the handling of IOSurface properties. iPhone, iPod, and iPad users are strongly advised to apply the updates as soon as possible.